Wireless Carriers Busted Sharing User 911 Location Data

from the bottomless-well-of-dysfunction dept

Recent scandals involving companies like Securus and LocationSmart made it clear that cellular carriers are collecting and selling an ocean of user location data without any meaningful oversight. Several reports have highlighted how that data is then being routinely abused by everybody from ethically dubious local sheriffs to bounty hunters. Subsequent investigations have shown how easy it is for bounty hunters and others to access this data, and how the FCC under several administrations has failed utterly to hold cellular carriers and data brokers accountable for any of it.

This week, Motherboard exposed another location data scandal with a report highlighting how cellular carriers are also selling private user A-GPS data to companies that aren't supposed to have access to it. A-GPS, or assisted GPS, involves using a device's onboard GPS chip as well as cellular network data to more quickly and precisely determine a user's location. Wireless industry filings with the government indicate this data can pinpoint a user's location indoors to within 50 meters, and more precisely if a device's MAC and Bluetooth data are also utilized.

Motherboard's investigation focused specifically on a now-defunct location data broker by the name of CerCareOne, which had been selling cellular user location data -- including A-GPS data -- as recently as 2017. As with the other scandals, this scandal involves a universe of shady middlemen who buy and sell an ocean of such data, often without carriers understanding (or bothering to understand) how widespread the practice had become:

"Like with the companies involved in Motherboard’s previous investigation, CerCareOne’s real-time location data trickled down first from telecom companies, and then to a so-called location aggregator called Locaid. From there, Locaid sold that data access to a number of different companies, including CerCareOne, which in turn sold it to its own clients. Locaid was purchased by a company called LocationSmart in 2015. The documents Motherboard obtained indicate that LocationSmart continued to sell data to CerCareOne after it obtained Locaid, and LocationSmart confirmed that to Motherboard."

The scale of the data collection was... not subtle:

"CerCareOne’s phone tracking service was not a one-off tool for bounty hunters and bail agents. A list of a particular customer’s phone pings obtained by Motherboard stretches on for around 450 pages, with more than 18,000 individual phone location requests in just over a year of activity. The bail bonds firm that initiated the pings did not respond to questions asking whether they obtained consent for locating the phones, or what the pings were for.

Another set of data is more than 250 pages long and covers around 10,000 phone pings. Another list of a different bounty hunter’s activity includes nearly 1,000 phone location requests in less than a year; a third details more than 4,500 pings."

The irony in this instance is that the FCC had crafted rules to specifically address this problem. Back in 2015, as the FCC was contemplating some new rules for enhanced 911 services, a coalition of privacy and consumer groups (including Public Knowledge, the EFF, and the ACLU) had written the agency warning that A-GPS and other granular data specifically used to aid in pinpointing 911 caller location (especially indoors) created the potential for some major privacy issues:

"The development of highly-precise location technologies designed to comply with the new regulations will raise a host of privacy concerns that have not been sufficiently addressed in the E911 proceeding. Public safety should not come at the expense of consumer privacy—nor should it have to."

The FCC obliged, and in 2017 finalized rules with carrier approval that specifically stated that this kind of A-GPS data should never be used for any purpose other than tracking user location for emergency services:

"CMRS providers must certify that they will not use the NEAD or associated data for any non-911 purpose, except as otherwise required by law."

Many carriers claim to have completely stopped sharing this and other forms of location data with data brokers or anybody else. But it's going to take a comprehensive investigation to not only confirm that, but also to confirm that they're not currently engaging in even worse behavior. Especially since every time we think we've gotten to the bottom of this scandal, the floor drops out, revealing countless additional layers beneath.

Even with Ajit Pai's efforts to neuter FCC authority over ISPs, I've spoken to at least four telecom and privacy experts who say the FCC very clearly has the authority and responsibility to stop this sharing of private data; they've just chosen not to -- despite the fact that the agency had the foresight to craft rules specifically designed to stop this from happening.